Crowell & Moring

California AG Defines “Reasonable Security;” Apple Opposes FBI Hack Request; Russia to Enforce Data Localization with (Surprise) Audits; HHS Helps Health App Developers Determine if Subject to HIPAA; Carrier IQ Agrees to $9M Data Leak Settlement

California AG Defines “Reasonable Security”

California Attorney General (AG) Kamala Harris published the 2016 “California Data Breach Report,” which lays out what the state believes to be “reasonable security” for the purpose of California’s law that requires protecting personal information.

This is the first time California has recommended an external industry standard as a baseline “reasonable security” requirement. According to the California AG, the chosen standard (Center for Internet Security’s (CIS) Critical Security Controls (formerly known as the SANS Top 20)), is a consensus list of the “best defensive controls to detect, prevent, respond to, and mitigate damage from cyber attacks,” and is updated periodically to keep up with technology. The FTC has previously recommended using industry standards, but did not go as far as California in prescribing a particular one.

Given California’s size and prominence as an active enforcer of privacy and security laws, and the fact that its privacy law applies to most businesses that collect personal information on California residents, these recommendations essentially create a set of baseline requirements for many companies.

Although consumer protection laws require “reasonable security,” to protect personal information, they historically have not defined “reasonable security.”  The California AG report fills in those details. Though called “recommendations” in the report, the AG indicated that failure to implement the recommendations will generally be deemed unreasonable.

The specific recommendations are:

  • Implement the CIS Critical Security Controls, which define a minimum level of information security practices (e.g., configure securely, update continuously, block access, and test and plan response). The AG notes that “failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security” – which makes this the most strongly worded “recommendation.”
  • Use multi-factor authentication for critical systems/data, and on consumer-facing online accounts that contain sensitive personal information (including online shopping, health care, and web-based email).
  • Use encryption on laptops and personal devices (given the very high frequency of lost/stolen portable device data breaches) – particularly in health care organizations.
  • Encourage affected data subjects to place a fraud alert on their credit files when Social Security or driver’s license numbers are breached.

Apple Opposes FBI Order to Hack San Bernardino Shooter’s iPhone

Apple publicly announced its opposition to a federal court’s order to provide the FBI with hacking support to defeat the security protections of the iPhone belonging to one of the San Bernardino shooters. Federal prosecutors have a search warrant for the phone but have not been able to access the encrypted data – prompting them to get a court order to force Apple to help them bypass the 10-attempt-then-erase-all-data function and access the phone by brute force attempts. Apple staunchly opposes the order, which it characterizes as an encryption “back door,” steeply escalating the public debate over encryption back doors.

The FBI would like tech companies to assist them when needed to circumvent encryption technology so that law enforcement can access the personal data of suspects on a case-by-case basis. Many in the technology field oppose any sort of encryption work around (or back door) because it may mean that criminals and authoritarian governments would be able to exploit the access points for nefarious purposes if the access points exist at all. The newly stoked public debate, and the consequences of Apple refusing the order, could easily lead to a climax of the encryption back door debate in the near future. The precedent will have a lasting effect on the future of technology.

Russia to Enforce Data Localization with (Surprise) Audits

The Russian Federal Service for Oversight of Communications, Information Technology and Mass Media (known as Roscomnadzor), announced that it will make unplanned checks on companies for compliance with Russia’s new data localization regulations, in addition to the planned audits for 2016. Roscomnadzor said that it will deal with noncompliance “individually and substantially” but give companies time to comply with the law – adding that “stern refusal to comply” would lead to a lawsuit aimed to discontinue a company’s operations in Russia. The data localization law (No. 242-FZ), which went into effect on September 1, 2015, requires companies to store the personal data of Russian citizens in databases located in Russia. The law until now has been largely untested.

The surprise audits foreshadow just how much teeth the law will have. Companies should also be aware that, in its quest to enforce the law, Roscomnadzor is reviewing companies’ user agreements for evidence that personal data is being collected on Russian citizens, which means that foreign companies claiming to collect or use personal data from Russian citizens are an easy target for audits.

HHS Guidance: Does Your Health App Have to Comply with HIPAA?

The U.S. Department of Health and Human Services (HHS) provided use scenarios to aid health app developers to determine whether their activities and apps are subject to the rules of the Health Information Portability and Accountability Act (HIPAA). HIPAA requires covered entities (e.g., health plans and health care providers) to comply with the HIPAA rules, and business associates (e.g., those creating or offering apps on behalf of a covered entity or other business associate) to comply with certain HIPAA rules. The guidance released by HHS will help app developers with the threshold determination of whether they are subject to HIPAA. HHS has said it intends to provide more guidance to the public. This recent guidance follows the HHS Office of the National Coordinator for Health Information Technology’s publication of PHI disclosure fact sheets (describing permissible information exchanges for health care operations and treatment) published in early February.

Carrier IQ Inc. Class Agrees to $9 Million Settlement

In the multidistrict litigation case In re Carrier IQ Inc. Consumer Privacy Litigation, plaintiffs alleged Carrier IQ’s mobile phone software allowed manufacturers to intercept data including URLs, search terms, user names and passwords, and text messages (despite the software’s simply stated purpose of tracking dropped calls to improve service). The news stories of the purported privacy shortfalls broke in 2012 and more than 70 privacy lawsuits followed before the consolidation.

The parties have now announced their agreement on a $9 million settlement. This case highlights the importance of companies limiting data sharing (even between software manufacturers and the hardware manufacturers they support), providing appropriate notices, and securing transmissions of private communications.